JVN#80476432: web2py vulnerable to OS command injection

Overview

web2py contains an OS command injection vulnerability.

Products Affected

web2py 2.24.1 and earlier

Description

web2py web application framework contains an OS command injection vulnerability (CWE-78).

Impact

When web2py is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor	Link
web2py	web2py Web Framework
	web2py Download
	GitHub \| fixed vulnerability JVN#80476432

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score: 8.1

Attack Vector(AV)	Physical (P)	Local (L)	Adjacent (A)	Network (N)
Attack Complexity(AC)	High (H)	Low (L)
Privileges Required(PR)	High (H)	Low (L)	None (N)
User Interaction(UI)	Required (R)	None (N)
Scope(S)	Unchanged (U)	Changed (C)
Confidentiality Impact(C)	None (N)	Low (L)	High (H)
Integrity Impact(I)	None (N)	Low (L)	High (H)
Availability Impact(A)	None (N)	Low (L)	High (H)

CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Score: 6.8

Access Vector(AV)	Local (L)	Adjacent Network (A)	Network (N)
Access Complexity(AC)	High (H)	Medium (M)	Low (L)
Authentication(Au)	Multiple (M)	Single (S)	None (N)
Confidentiality Impact(C)	None (N)	Partial (P)	Complete (C)
Integrity Impact(I)	None (N)	Partial (P)	Complete (C)
Availability Impact(A)	None (N)	Partial (P)	Complete (C)

Credit

Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2023-45158
JVN iPedia	JVNDB-2023-000101

JVN#80476432 web2py vulnerable to OS command injection